CVE-2026-8924

curl · curl

A flaw in curl's cookie parsing logic enables an attacker-controlled origin to inject "super cookies" by bypassing Public Suffix List checks, leading to cross-domain data exposure.

Executive summary

A critical cookie parsing vulnerability in curl 7.46.0 through 8.20.0 allows unauthenticated attackers to inject and steal cookies across unrelated domains.

Vulnerability

The vulnerability exists in the cookie parsing logic, which fails to correctly validate domain scopes against the Public Suffix List. An unauthenticated attacker can exploit this by setting a cookie with a trailing dot, allowing the malicious origin to scope the cookie to unrelated third-party domains.

Business impact

With a CVSS score of 9.1 (Critical), this vulnerability poses a severe risk of unauthorized access and session hijacking. An attacker can intercept or inject cookies, leading to the compromise of sensitive user information or authentication tokens, which may result in full account takeover across different services.

Remediation

Immediate Action: Update to curl version 8.21.0 or later to ensure proper cookie parsing and Public Suffix List enforcement.

Proactive Monitoring: Review application-level logs for suspicious cookie headers or unexpected cross-domain cookie transmission patterns.

Compensating Controls: Implement strict Content Security Policy (CSP) headers and ensure that sensitive cookies are marked with appropriate Secure, HttpOnly, and SameSite attributes to minimize the impact of injection.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical security risk due to the potential for cross-domain cookie manipulation. All systems using affected versions of curl must be upgraded to 8.21.0 immediately to prevent session hijacking and unauthorized data access.